
Error: New-AzADServicePrincipal: Values of identifierUris property must use a verified domain of the organization or its subdomain #16097

Closed
dcaro opened this issue Oct 14, 2021 · 15 comments
Labels
AAD AzAd cmdlets in Az.Resources Engineering

Comments

@dcaro
Contributor

dcaro commented Oct 14, 2021

Context

The error `New-AzADServicePrincipal: Values of identifierUris property must use a verified domain of the organization or its subdomain` is displayed when running `New-AzADServicePrincipal` or `New-AzADApplication`.

Due to the Azure Active Directory breaking change requiring the AppId URI of single-tenant applications to use the default scheme or a verified domain, you must upgrade the Az.Resources module to version 4.1.0 or later to continue using the `New-AzADServicePrincipal` or `New-AzADApplication` cmdlets.

You can also upgrade to Az version 6.0 or greater.

Timeline

The requirement will be in effect starting 10/15/2021.

Impacted versions

The following versions of Azure PowerShell are impacted by the AzureAD breaking change:

  • Az.Resources PowerShell module version 3.5.1-preview or earlier.
  • Az PowerShell module version 5.9.0 or earlier.

If you are still encountering issues after upgrading, feel free to open an issue.

Workaround

If you cannot upgrade to the PowerShell modules described above, you may update your script to follow these steps when creating a service principal:

@saldroubi

Still getting the same error:

I have upgraded to Az version 6.5.0

```powershell
Get-InstalledModule -Name az

Version Name Repository Description
------- ---- ---------- -----------
6.5.0   Az   PSGallery  Microsoft Azure PowerShell - Cmdlets to manage resources in Azure.
```

I am still getting an error when I run this command:

```powershell
$servicePrincipalObj = New-AzADServicePrincipal -DisplayName $spName -SkipAssignment -scope "" -EndDate $endDate
```

```
Line |
 186 | … ncipalObj = New-AzADServicePrincipal -DisplayName $spName -SkipAssign …
     | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | Values of identifierUris property must use a verified domain of the organization or its subdomain: 'http://sp-vera-workspace-unitysandbox'
```

So the update didn't seem to help. Please let me know how to fix this. I can't add a custom domain as indicated by the workaround. So how can I fix this?
Thank you.

@haagha haagha unpinned this issue Oct 25, 2021
@dcaro dcaro pinned this issue Oct 26, 2021
@dcaro
Contributor Author

dcaro commented Oct 26, 2021

@saldroubi please create a new issue specific to your situation, and you can refer to this issue.

@venkateshtarra

@dcaro I am also facing a similar issue. Can you please provide some solution to fix this issue?

Thanks in advance.
Venkatesh Tarra.

@bganapa
Member

bganapa commented Nov 3, 2021

The issue is applicable to the AzureRM.Resources module and New-AzureRMAdServicePrincipal as well (moving to Az is recommended, as AzureRM is on the deprecation path).

@bganapa
Member

bganapa commented Nov 3, 2021

The issue is applicable to the Azure Stack-specific Az modules as well. The workaround mentioned in the issue description will work against Azure Stack. We do plan to release a new Az.Resources module for Azure Stack.

@RyanD2596

Can someone confirm if you will still be able to use any domain without it being verified in AAD as long as you update the module?

The way it's worded makes it sound as if the workaround is to verify the domain in AAD if you can't update your modules, therefore if you update you can continue using as is.

We use dev.azure.com in these fields and obviously can't add this to our AAD tenant.

@saldroubi

After I ran the update this issue went away.

@dcaro
Contributor Author

dcaro commented Nov 3, 2021

Azure AD requires identifierUris to use the default scheme or a verified domain; Az.Resources has been updated to reflect this new requirement.
The updated module does not set any value for the identifierUris property of the application associated with the service principal.

@RyanD2596 we provided the workaround for the case where updating the module is a problem, not as a workaround for the new requirement. I have updated the wording, hoping this brings more clarity.

@mileee6

mileee6 commented Nov 10, 2021

Hi,

I'm having the same issue. I have Az.Resources 4.4.1 and it's asking me to fill in identifierUris. Can you confirm if this will be mandatory?

@dcaro
Contributor Author

dcaro commented Nov 10, 2021

It depends on the configuration of your tenant: if your tenant does not allow empty identifierUris, you will have to specify a valid value when creating a service principal or an application. The Azure Active Directory documentation has more details on the requirement that they are now imposing.
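The two comments above (the updated module no longer sets identifierUris; a tenant that requires a value must be given one Azure AD will accept) describe a procedure rather than show it. The script below is an added example, not code from this issue or from the Azure PowerShell project. It assumes an authenticated `Connect-AzAccount` session, Az.Resources 4.1.0 or later, and hypothetical values for `$DisplayName` and `$VerifiedDomain`; the property and parameter names differ between the legacy Az.Resources 4.x cmdlets (`ObjectId`/`ApplicationId`, `Set-AzADApplication`) and the Microsoft Graph based 5.x cmdlets (`Id`/`AppId`, `Update-AzADApplication`), so the script branches on the installed version.

```powershell
# Added example (not from this issue or the Azure PowerShell project).
# Assumes an authenticated session (Connect-AzAccount) and Az.Resources >= 4.1.0.
# $DisplayName and $VerifiedDomain are hypothetical values.
#Requires -Modules @{ ModuleName = 'Az.Resources'; ModuleVersion = '4.1.0' }
param(
    [string] $DisplayName    = 'sp-example-workspace',  # hypothetical SP/app name
    [string] $VerifiedDomain = ''                       # e.g. 'contoso.com'; must be verified in the tenant, or leave empty
)

# 1. Refuse to run on a module that still injects the old http://<name> identifier URI.
$mod = Get-Module -ListAvailable -Name Az.Resources |
       Sort-Object Version -Descending | Select-Object -First 1
if (-not $mod -or $mod.Version -lt [version]'4.1.0') {
    throw "Az.Resources 4.1.0 or later is required (found '$($mod.Version)'). Run: Update-Module Az -Force"
}
$graphCmdlets = $mod.Version -ge [version]'5.0.0'

# 2. Create the application. Only pass identifierUris when the tenant insists on one,
#    and only build it from a domain the tenant has verified; an unverified host name
#    (dev.azure.com, a bare app name) is exactly what Azure AD now rejects.
$appParams = @{ DisplayName = $DisplayName }
if ($VerifiedDomain) {
    $appParams['IdentifierUris'] = @("https://$VerifiedDomain/$DisplayName")
}
$app = New-AzADApplication @appParams

# Normalise the two object shapes (legacy 4.x vs Graph 5.x).
$appId    = if ($graphCmdlets) { $app.AppId } else { $app.ApplicationId }
$objectId = if ($graphCmdlets) { $app.Id }    else { $app.ObjectId }

# 3. If no verified domain is available, fall back to the default scheme api://<appId>.
#    This can only be set after creation, because the AppId is not known beforehand.
if (-not $VerifiedDomain) {
    $defaultUri = "api://$appId"
    if ($graphCmdlets) {
        Update-AzADApplication -ObjectId $objectId -IdentifierUri @($defaultUri)
    } else {
        Set-AzADApplication -ObjectId $objectId -IdentifierUri @($defaultUri)
    }
}

# 4. Create the service principal from the application we control, instead of letting
#    New-AzADServicePrincipal -DisplayName create an application with its own defaults.
$sp = New-AzADServicePrincipal -ApplicationId $appId

# 5. Show what ended up on the application so the identifier URI can be reviewed.
$check = Get-AzADApplication -ApplicationId $appId
[pscustomobject]@{
    DisplayName    = $check.DisplayName
    ApplicationId  = $appId
    IdentifierUris = ($check.IdentifierUris -join ', ')
    ServicePrincipalCreated = [bool]$sp
}
```

Run it with `-VerifiedDomain contoso.com` (a domain actually verified in your tenant) when the tenant policy requires identifierUris to be populated, and without it otherwise; in the latter case the `api://<appId>` form is the "default scheme" the Azure AD requirement refers to. No credential is added here, so the service principal has no usable secret until you attach one deliberately.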

@mileee6

mileee6 commented Nov 11, 2021

Thanks, so it's only mandatory when it's created through PowerShell, because when I create it through the portal it's not mandatory.

@mileee6

mileee6 commented Nov 11, 2021

Also, I'm looking for help about the right API permissions that a service principal must have to register a new app.
I already gave these permissions but I'm still having the error: `Resource not found for the segment 'me'`.

Do you know where I can address this? Thanks in advance.

  • Application.ReadWrite.All
  • Application.ReadWrite.OwnedBy
  • Directory.ReadWrite.All

@DrReedo

DrReedo commented Nov 11, 2021

Hi @mileee6

We have Files.ReadWrite.All and AllowedMemberTypes contains 'Application' as permissions for our service principal to register the new app.
This link may help you:
https://stackoverflow.com/questions/63618480/what-are-the-required-permssions-for-azure-devops-to-execute-get-azureadservicep

@dvelovic

Try using `@{add="https://identifierURL"}`:

```powershell
$app1 | Set-AzureADApplication -IdentifierUris @{add="http://adapplicationregistry.onmicrosoft.com"}
```

@dingmeng-xue
Member

Closing this issue as the feature is enabled on the service side.

renjithabby pushed a commit to CPS-Innovation/Polaris that referenced this issue Feb 2, 2023